[ossig] For goodness sake, stop using IE already!
This is a serious vulnerability - what with the proliferation of web-based apps that require sensitive info being input by the user (credit cards, internet banking, web-email!).

Switch to Mozilla today! :-)
------
Fix for URL Spoofing Security Vulnerability Checked in to Mozilla Trunk and 1.6 Branch

The latest nightly builds of Mozilla feature a fix for the URL spoofing security vulnerability discovered in several browsers last month. A patch was checked in to the trunk and 1.6 branch yesterday, meaning that both the forthcoming Mozilla 1.6 and Mozilla Firebird 0.8 will be immune to the flaw.

In vulnerable versions of Mozilla, the address displayed in the Status Bar while hovering over a link is truncated if the characters %00 are present in the URL of the destination page. An attacker could exploit this to make a link that goes to http://www.microsoft.com%01%00@evilscam.net (real location evilscam.net) but appears in the Status Bar as simply http://www.microsoft.com. By fooling a user into believing that he or she is visiting a trusted site, an attacker could trick him or her into revealing sensitive information such as credit card details.

The flaw was originally detected in Microsoft Internet Explorer before also being spotted in Mozilla. The IE variant is more serious, however, as it affects not only the URL displayed in the Status Bar but also the URL shown in the Address Bar after following a spoofed link. At the time of writing, Microsoft has acknowledged the problem but not yet issued a patch.

Full technical details of the fix are in bug 228176. The Secunia Internet Explorer Address Bar Spoofing Test page (http://www.secunia.com/internet_explorer_address_bar_spoofing_test) allows browser users to check whether their software is vulnerable.
------
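As an added example (not from the post, Mozilla or Secunia), here is how a link scanner for a mail gateway or proxy log can separate what the truncated Status Bar would show from the host the browser really connects to, for the %01%00@ pattern quoted above; the sample links are constructed.

```python
from urllib.parse import urlsplit, unquote

# Constructed sample links; the first one is the pattern quoted in the article.
SAMPLE_LINKS = [
    "http://www.microsoft.com%01%00@evilscam.net",
    "http://user:pw@example.net/login",
    "http://www.example.com/path?q=1",
]

def displayed_prefix(url: str) -> str:
    """What a status bar with the described flaw would show: percent-decode,
    stop at the first NUL byte, and drop any other control characters."""
    shown = unquote(url).split("\x00", 1)[0]
    return "".join(c for c in shown if ord(c) >= 0x20)

def actual_host(url: str) -> str:
    """Host the browser really connects to: the part after the last '@'
    in the authority component, as a standards-compliant parser sees it."""
    return (urlsplit(url).hostname or "").lower()

def classify_link(url: str) -> str:
    """'spoofed' if the userinfo hides control characters, 'suspicious' if
    the userinfo merely looks like a hostname, otherwise 'ok'."""
    netloc = urlsplit(url).netloc
    if "@" not in netloc:
        return "ok"
    userinfo = unquote(netloc.rsplit("@", 1)[0])
    if any(ord(c) < 0x20 for c in userinfo):
        return "spoofed"
    if "." in userinfo.split(":", 1)[0]:
        return "suspicious"
    return "ok"

def scan(urls):
    """Return (url, verdict, shown, real_host) per link, for a report or filter."""
    return [(u, classify_link(u), displayed_prefix(u), actual_host(u)) for u in urls]

if __name__ == "__main__":
    for url, verdict, shown, host in scan(SAMPLE_LINKS):
        print(f"{verdict:10} shown={shown!r:45} real host={host}")
```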